F5 Labs has released its 2024 DDoS Attack Trends report, revealing a significant 112% rise in Distributed Denial of Service (DDoS) attacks from 2022 to 2023. According to the report, the telecommunications industry faced the most dramatic surge, with a staggering 655% increase in attacks.
The report attributes the rise in DDoS attacks to several factors, including geopolitical unrest, easily exploited vulnerabilities, and the emergence of new botnets. “Through a combination of geopolitical unrest, trivially exploited vulnerabilities, and the emergence of new botnets, denial of service incidents have exploded since our 2023 DDoS Attack Trends report in February 2023,” said David Warburton, director of F5 Labs. Warburton added, “Clearly, the threat from DDoS attacks is constantly evolving, and as this report shows it is also growing. In a volatile environment, there can be no room for complacency.”
The report recorded 2,127 attacks in 2023, up from 1,003 attacks in 2022. Organisations faced an average of 11 attacks last year, with one particular organisation enduring 187 separate attacks, including the largest single attack recorded by F5 Labs.
DDoS attack sizes remained notably high throughout 2023, often exceeding 100Gbps and, in some cases, 500Gbps. February 2023 was an anomaly, seeing the month's largest attack coming in at under 10Gbps. Warburton contextualised this by noting, “The early months of 2023 were defined by a major law enforcement operation undertaken by Europol and international partners in December 2022.” He explained that these actions temporarily disrupted DDoS activity, but the impact was short-lived. “After a notably quiet February, by March we observed the largest recorded attack of the year, and over the course of 2023 we saw DDoS attacks bounce back to higher levels of activity than before," Warburton said.
The nature of DDoS attacks evolved over the past year, with a noticeable shift in the type of attacks. In early 2023, application layer attacks, such as HTTP(S) floods and DNS queries, had surged, constituting nearly 40% of all attacks. However, by the end of the year, the trend reversed, with volumetric and protocol attacks coming to the fore. Application attacks fell to around 25%, while volumetric and protocol attacks increased in share. These volumetric and protocol attacks had a broader size range, reaching up to 1Tbps.
Certain industries were hit particularly hard by the rise in DDoS attacks. Software and computer services accounted for 37% of all attacks, and although these attacks were smaller in size, they peaked with a 200Gbps attack in November. Telecommunications firms experienced an even more severe impact, with a 655% rise in the number of attacks, representing 23% of all DDoS incidents recorded in 2023. Additionally, the support services sector accounted for 11% of total attacks, including the largest recorded attack measuring 1Tbps in March.
The report also highlighted that DDoS attacks had significant geopolitical implications, affecting six countries disproportionately. The United States, France, Saudi Arabia, Italy, Belgium, and the United Kingdom were subjected to 80% of the total DDoS attacks recorded last year. Notably, the United States accounted for 38% of the attacks, experiencing more than double the incidents compared to France, the second-most affected country.
The EMEA region witnessed 57% of DDoS incidents in 2023, a dramatic increase compared to the previous year. Throughout the year, there was a notable rise in both the frequency of attacks and their peak bandwidth, with the largest attack in the region measuring just under 500Gbps in June.
Warburton cautioned that the DDoS landscape has become increasingly complex. “While many of the attacks monitored may be small, mitigation can be complex and remains essential. The duration of a DDoS attack may be fleeting, but its impact on reputation can be long-lasting. A managed service, monitored by experts who deal with DDoS attacks every day and backed by multi-terabit bandwidth capabilities, certainly offers the widest protection possible and can often be deployed with very little disruption."
For organisations that cannot entirely rely on a managed DDoS service, F5 Labs recommends deploying DNS firewalls to block malicious IP addresses and identify bot and non-human traffic. The report also stresses the importance of addressing new DoS attack vectors and remaining vigilant to geopolitical events. Robust cyber threat intelligence, according to Warburton, is essential for understanding threat actor activities and intentions.
